1 Author's Biography





Figure 1: The author Xavier NOUMBISSI NOUNDOU 


Xavier NOUMBISSI NOUNDOU is from CAMEROON and holds the title Diplom-Informatiker [DIPL.-INF.]¹ (roughly equivalent to a Canadian Master's degree in Computer Science) of the University of Bremen² in Germany.


After his Diplom-Informatiker degree, he worked 21 months (November 2007 to July 2009) as Software Developer for Siemens Healthcare³ in Erlangen (Germany).


After Siemens, Xavier started his doctoral research in Program Analysis and Software Engineering in the Watform Lab at the University of Waterloo⁴ (Waterloo, Ontario, Canada).


From January 2012 to August 2012 (8 months), Xavier worked in the Java J9-JIT compilation team of IBM Toronto Lab in Markham (Ontario, Canada) as a graduate intern in compiler optimization.


Xavier is professionally proficient in the French, English and German languages. 


For his DIPL.-INF. degree, Xavier worked on the automatic generation of test cases for reactive systems. The algorithms he developed are used by the German company Verified Systems International GmbH⁵. The title of his Diplom-Informatiker thesis was "Statistical test cases generation for reactive systems".

¹ http://www.inb.uni-luebeck.de/~boehme/diplinf.html
² http://www.uni-bremen.de
³ http://www.healthcare.siemens.com
⁴ http://www.uwaterloo.ca


Xavier currently works on his PhD degree. His research focuses on program analysis and software engineering. He is the creator of SAINT⁶, which is a tool to perform static taint analysis on programs written in the C programming language.


2 Introduction 


Businesses increasingly use software. This is even more relevant for companies relying on e-commerce. However, software is error-prone and contains several bugs. Security bugs are one of the major problems faced by companies today. In the worst case, security bugs enable unauthorized users to gain full control of an application.


My PhD thesis introduces the concept of tainted paths and describes techniques and algorithms to compute them in any imperative programming language that uses pointers (C, C++, Java, etc.). I implemented these algorithms in SAINT.


SAINT does not require the developer to annotate the program under analysis. SAINT implements a flow-sensitive, interprocedural and context-sensitive analysis that computes tainted paths in C programs at compile-time.


3 Installation Instructions 


This section explains how to install SAINT on a "Linux" machine. We haven't tested SAINT on a "Windows" or "Mac OS" machine, but the installation should follow similar steps.


3.1 Required Software 

This section enumerates all software that you need to run SAINT. 
• SAINT: http://github.com/xnoumbissinoundou/yeroth.rd.saint
• The compiler infrastructure LLVM, version 3.3: http://llvm.org
• The DSA pointer analysis poolalloc: http://github.com/llvm-mirror/poolalloc


3.2 Environment Variables

Table 1 shows all environment variables that you have to define and export in order to successfully run SAINT.

You define and export an environment variable ENV_VAR by writing the following commands in your "$HOME/.bashrc" file:

ENV_VAR=path_to_folder
export ENV_VAR

Environment variable | Description
SAINT_HOME           | SAINT home folder (e.g. /home/user/saint)
SAINT_BIN            | SAINT binaries folder (e.g. $SAINT_HOME/bin)
LLVM_HOME            | llvm home folder (e.g. /home/user/llvm)
LLVM_LIB             | llvm compiled libraries folder (e.g. $LLVM_HOME/build/Release+Asserts/lib)
LLVM_BIN             | llvm compiled binaries (e.g. $LLVM_HOME/build/Release+Asserts/bin)
POOLALLOC            | poolalloc home folder (e.g. /home/user/poolalloc)
CLANGLLVM_BIN        | clang+llvm binaries' folder (e.g. /home/user/clang+llvm/bin)

Table 1: Table with all environment variables required to install and use SAINT

⁵ http://www.verified.de
⁶ https://www.github.com/xaviernoumbis/saint


4 How to Configure "clang+llvm" for use with SAINT


a) Download and unpack clang+llvm, version 3.3. 


b) Add the bin folder to your environment variable PATH.
For instance, by adding the following lines to your file "$HOME/.bashrc":

PATH=$PATH:$CLANGLLVM_BIN
export PATH


5 How to Configure "LLVM" for use with SAINT 


a) Open the file "$LLVM_HOME/lib/Analysis/Makefile" and append the string "saint" to the "DIRS" variable. Following is an excerpt of the file.


##===- lib/Analysis/Makefile -------------------------------*- Makefile -*-===##
#
#                     The LLVM Compiler Infrastructure
#
# This file is distributed under the University of Illinois Open Source
# License. See LICENSE.TXT for details.
#
##===----------------------------------------------------------------------===##

LEVEL = ../..
LIBRARYNAME = LLVMAnalysis
DIRS = IPA saint
BUILD_ARCHIVE = 1

include $(LEVEL)/Makefile.common


b) Run the script saint-configure.sh. 
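A pre-flight check for the setup steps of Sections 3.2 to 5, worth running before saint-configure.sh. This is an added example, not part of SAINT; the function names are hypothetical, and only the variable names of Table 1 and the DIRS edit come from this manual.

```shell
#!/usr/bin/env bash
# Added example, not part of SAINT: pre-flight checks for Sections 3.2 to 5.

# Variable names taken from Table 1.
SAINT_ENV_VARS="SAINT_HOME SAINT_BIN LLVM_HOME LLVM_LIB LLVM_BIN POOLALLOC CLANGLLVM_BIN"

# Print each Table 1 variable the SAINT scripts (child processes) cannot see:
# "unset" when it has no value, "not-exported" when defined without export.
saint_env_problems() {
    for v in $SAINT_ENV_VARS; do
        eval "val=\${$v-}"
        if [ -z "$val" ]; then
            echo "$v unset"
        elif ! env | grep -q "^$v="; then
            echo "$v not-exported"
        fi
    done
}

# Succeed only if the DIRS assignment in the given Makefile lists "saint"
# as a whole word (Section 5, step a).
makefile_lists_saint() {
    awk '/^[ \t]*DIRS[ \t]*[:+]?=/ {
             sub(/^[^=]*=/, "")        # keep only the value; fields are re-split
             for (i = 1; i <= NF; i++) if ($i == "saint") found = 1
         }
         END { exit !found }' "$1" 2>/dev/null
}

# Succeed only if directory $1 is an exact entry of PATH (Section 4, step b).
path_contains() {
    case ":$PATH:" in
        *":$1:"*) return 0 ;;
    esac
    return 1
}

# Report on the current shell; prints nothing when everything is in place.
saint_env_problems
if [ -n "${LLVM_HOME-}" ] && ! makefile_lists_saint "$LLVM_HOME/lib/Analysis/Makefile"; then
    echo "lib/Analysis/Makefile: DIRS does not list saint"
fi
if [ -n "${CLANGLLVM_BIN-}" ] && ! path_contains "$CLANGLLVM_BIN"; then
    echo "PATH does not contain \$CLANGLLVM_BIN"
fi
```

A variable reported as "not-exported" is visible in the interactive shell but not in the SAINT scripts, which is why the manual asks for both the assignment and the export.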


6 Folder Structure 


The following folders constitute SAINT's directory structure:
1. bin: folder with the scripts:
   • saint-gen-ir.sh: generates the LLVM IR for code analyzed by SAINT.
   • saint-run-llvm-opt.sh: runs LLVM (opt binary) with SAINT as plugin.
   • saint-configure.sh: configures and compiles poolalloc and LLVM for SAINT.
2. benchmarks: folder with sample scripts to run SAINT.
3. cfg: folder with source, sink, and sanitizer configuration files.
4. projects: folder with sample projects.
5. doc: folder with the manual.
6. src: folder with all C++ source files, and Bash scripts to compile and run SAINT.


7 How to Compile and Run SAINT

You need to execute the command "make -f Makefile.saint" within the folder "$LLVM_HOME/lib/Analysis/saint" to compile SAINT.

Also, SAINT gets compiled when you run it using the Bash script saint-run-llvm-opt.sh.


7.1 Configuration Files 


Configuration files are found in the folder "$SAINT_HOME/cfg". There are three configuration files:

• sources.cfg: taint sources configuration file
  Each line of the file specifies a function name and an integer "x". "x" is the argument of the function that is tainted.
  If "x" is zero (0), then it is the return value of the function that is tainted.
  e.g.:

  fopen,0
  fgets,1

  The previous lines specify that fopen returns a tainted value, and that fgets taints its first argument.

• sinks.cfg: taint sinks configuration file
  Each line of the file specifies a function name and an integer "y". "y" is the argument of the function that must not receive a tainted value.
  "y" is never equal to zero (0).

  sprintf,1

  The previous line denotes that sprintf must not receive a tainted value as its first argument (i.e. sprintf is a sensitive function).

• sanitizers.cfg: sanitizers configuration file
  SAINT doesn't yet implement this functionality.
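A lint for the two configuration formats described above, useful because a malformed entry may leave a source or sink out of the analysis. This is an added example, not part of SAINT; the function names lint_taint_cfg and explain_taint_cfg are hypothetical, and the sink lines for system and strcpy are constructed sample input.

```shell
#!/usr/bin/env bash
# Added example, not part of SAINT: lint sources.cfg / sinks.cfg text read
# from stdin. Format per Section 7.1: one "function,index" pair per line.
# Assumptions of this example: blank lines are skipped, names must be C
# identifiers, and duplicate entries are reported.

# usage: lint_taint_cfg sources|sinks < file
# Prints one message per bad line; returns non-zero if any line is bad.
lint_taint_cfg() {
    awk -F',' -v kind="$1" '
        /^[ \t]*$/ { next }
        NF != 2 { printf "line %d: expected function,index\n", NR; bad++; next }
        $1 !~ /^[A-Za-z_][A-Za-z0-9_]*$/ {
            printf "line %d: not a C identifier: %s\n", NR, $1; bad++; next }
        $2 !~ /^[0-9]+$/ {
            printf "line %d: index is not a non-negative integer\n", NR; bad++; next }
        kind == "sinks" && $2 + 0 == 0 {
            printf "line %d: a sink index is never 0\n", NR; bad++; next }
        seen[$1 "," ($2 + 0)]++ { printf "line %d: duplicate entry\n", NR; bad++ }
        END { exit (bad > 0) }'
}

# usage: explain_taint_cfg sources|sinks < file   (expects linted input)
# Prints the meaning of each entry as Section 7.1 defines it.
explain_taint_cfg() {
    awk -F',' -v kind="$1" '
        /^[ \t]*$/ { next }
        kind == "sources" && $2 + 0 == 0 { print $1 ": return value is tainted"; next }
        kind == "sources" { print $1 ": argument " ($2 + 0) " is tainted"; next }
        { print $1 ": argument " ($2 + 0) " must not receive a tainted value" }'
}

# Constructed sample: the manual's entries, then two deliberately bad sink lines
# (index 0 on a sink, and a space after the comma).
printf 'fopen,0\nfgets,1\n' | explain_taint_cfg sources
printf 'sprintf,1\nsystem,0\nstrcpy, 2\n' | lint_taint_cfg sinks || true
```

Because the index must consist of digits only, the lint also flags lines saved with Windows line endings.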


7.2 How to Run SAINT

Among others, SAINT's source folder contains the following two important Bash scripts:

• saint-gen-ir.sh: this script is used to generate and merge llvm intermediate representation (IR) files.
• saint-run-opt.sh: this script is used to run the analysis of SAINT on the program under analysis.

We encourage users to look at the sample scripts in the folders "projects" and "benchmarks" to learn how to use saint-gen-ir.sh and saint-run-opt.sh.


7.3 How to Get Debug Messages from SAINT


